I just got back from a government technology summit in Washington DC. It was hosted by Amazon Web Services (AWS), the leader in the Cloud technology space. I was speaking to someone from the CIA (who will remain anonymous) who was responsible for implementing the outcome of the deal between AWS and the CIA for $600M. The one where IBM attempted to sue the US Government for selecting AWS and lost. The public only knows about this because IBM decided to sue AWS.
As with all things new, there comes a reckoning. It was IBM’s turn to recognize that they had been clearly beaten by a provider that was far superior to their offering. And obviously for the CIA, far more secure.
That was in 2013. In the past 4 years, AWS has vastly accelerated their security offerings.
We all agree that there are bad guys out there. Super smart cyber hackers ready to push the boundaries and hold your company’s data for ransom, just ask Hillary Clinton. If you’re in charge of security, you have decisions to make every day to keep the bad guys out. Would you rather have an army of the best security engineers in the world at your defence, or the three guys you have working on your team? The answer is pretty obvious.
The Cloud is that army of security engineers. Your own aircraft carrier of world leading analysts, tools and specialists at your protection.
Let’s be clear, there would be no cloud without extremely robust security. Forget the CIA, no one would trust it. Instead we have large government entities from around the world, not to mention the largest corporations like GE and Johnson & Johnson accelerating their adoption of Cloud and going all-in.
This is why AWS calls security ‘job zero’.
So what is AWS doing about security that’s not available in your own data centre or rented facilities (co-locations)? Why is the Cloud more secure?
Let's start with the long list of compliance standards that AWS attests to. Not to bore you with details, but it includes things like protecting credit card data with PCI, personal health information with HIPAA, SOC for financial information, plus defence and government standards like ITAR and FedRAMP. Anyone who has worked with these standards understands they are no walk in the park, but they are hard requirements in a variety of industries. They cover many items, including physical security, access to logs, network security, procedures and much more, and these are controls that are regularly proven with ongoing audits. Achieving this level of security and compliance is prohibitive for all but the largest organisations in the world. You automatically get an environment built to all these standards once you sign up for an AWS account.
The biggest vulnerability in security is people, because we do things manually, miss things and make mistakes. If we can reduce or eliminate people from the heavy lifting, we increase our protection. Instead of people, in the Cloud we use software, and the reckoning here is that the Cloud is driven by software, better described as Infrastructure-as-Code. What’s powerful about code is that you can version it, control it, and know who wrote or changed it. It automates your environments and, specifically, all your security controls. You can enforce policies and remove bad actors. You can control your network, servers, storage and every service in AWS with code, and so security is baked into every AWS service. A great example of this is the AWS service called CloudTrail, which logs activity across most AWS services so you know exactly what goes on in your environment, and which can be turned on with a single click or, better yet, one line of code. Some other tools are the Web Application Firewall (WAF), which defends against common web exploits, Amazon Inspector, which continually assesses your systems for security flaws, and AWS Shield, which automatically protects you from Distributed Denial of Service (DDoS) attacks, which are unfortunately common these days.
Among the other big vulnerabilities are the operating systems, like Windows and Linux, that billions of our systems depend on. The recent WannaCry episode was unfortunately a great example: the bad guys hunted out any unpatched Windows operating systems. In the Cloud these systems can be patched automatically, which would have completely avoided this vulnerability. It would have secured you… automatically.
If security is important to you and you plan to grow or use technology in your organisation, the cloud enables you to be secure and grow fast. Until now these were contradictory terms. How can you grow fast when you have security team members on your back who want less change and more status quo (no offence, security folks, we understand you’re doing your job)? That’s where you combine the cloud security posture with software and automation and move fast, because security is baked into everything you do. Security people are happy.
Okay, this all sounds too good to be true, right? Well, you can definitely have your security cake and eat it; however, there is a lot of responsibility you must bear when you architect and deploy your systems on AWS. There is a shared responsibility model to incorporate. AWS protects the platform itself: everything from the hypervisor down. Everything above the hypervisor, your guest systems and your data, is your job to protect. You have a universe of advanced tools inside AWS to do this, and it can all be automated with code.
If you're thinking about Cloud, and still learning, or looking for an organisation who really understands cloud, we advise you get some help from professional consultants like TriNimbus on AWS (it was time for a personal plug) to advise you on best practices and get your tenancy secured on AWS.